625d35e77c1e3dc5d1b17cf57dbe63b99dad002ceff45c1ae97bb1c36d84599a

Analysis

max time kernel
91s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99da58fce633d2a79fb694433c12efcf.exe
Size

51KB
MD5

99da58fce633d2a79fb694433c12efcf
SHA1

3aba5a6677d087527bd341ec16f41870e89d4f20
SHA256

625d35e77c1e3dc5d1b17cf57dbe63b99dad002ceff45c1ae97bb1c36d84599a
SHA512

583d5391d92a71d1b20ef6924029ee7f76c4d4ac006af6a05cd862c9322b61381e405d2c2c515b95a397fbfa1a0dbc6eeda2eb86dc24a569fe8e20df72a0c4ff
SSDEEP

1536:CSIYsInH8YEIEPAjLnusp6Pr1fvIKEdTzuhOChC38usHfJY6En66y26ySCOCOdN8:VID6NEIEPAjLusp6Pr1fvIKEdTzuhOCG

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	99da58fce633d2a79fb694433c12efcf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://72.29.89.174/google/"	reg.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 3616	1144	99da58fce633d2a79fb694433c12efcf.exe	85
PID 1144 wrote to memory of 3616	1144	99da58fce633d2a79fb694433c12efcf.exe	85
PID 1144 wrote to memory of 3616	1144	99da58fce633d2a79fb694433c12efcf.exe	85
PID 3616 wrote to memory of 1596	3616	cmd.exe	87
PID 3616 wrote to memory of 1596	3616	cmd.exe	87
PID 3616 wrote to memory of 1596	3616	cmd.exe	87
PID 3616 wrote to memory of 4300	3616	cmd.exe	90
PID 3616 wrote to memory of 4300	3616	cmd.exe	90
PID 3616 wrote to memory of 4300	3616	cmd.exe	90
PID 3616 wrote to memory of 3352	3616	cmd.exe	91
PID 3616 wrote to memory of 3352	3616	cmd.exe	91
PID 3616 wrote to memory of 3352	3616	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\99da58fce633d2a79fb694433c12efcf.exe
"C:\Users\Admin\AppData\Local\Temp\99da58fce633d2a79fb694433c12efcf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fchdqcly.bat" "
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dw.vbs"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v s.exe /t REG_SZ /d C:\C:\Windows\System32\drivers\etc\s.exe"
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://72.29.89.174/google/" /f
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dw.vbs

Filesize
293B

MD5
661b2c4908dcb92333f4f08e2e2ff4c5

SHA1
4f613d04787e67113cfc5ae029f187f44076ff3f

SHA256
0dbec3da4337a9d03ddc46f238d0ea761430cefda9ad446aaa018dbd3c67ae63

SHA512
64186efff55ebed24d6bd23e0b09fdd339cf4c1bb5dd9bd34c2164ab6d260086f9014656a5ec85f829eff64b579dd1fa4a5f43a49c6a42faf9406dbd2e34146d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fchdqcly.bat

Filesize
1KB

MD5
934c6cc4705e48e0e253672ad339c593

SHA1
977668dd46acfe34e6a64f4edd7e49e7e019f521

SHA256
0de8891ec7aa2db6cb5f28fb160bd9fe953cb4f085d6337003b284bea9472c68

SHA512
9f41b11b45aac167ebcc476176ea6232f99a36eab3ec14dab6cdb6263ba337490a07e845b1340342dddd5a75dbe1c35aeb6b7d62b392f4c9c50e1a82260b5ec0

Download Submit
memory/1144-3-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads